DEV Community

Cover image for AWS CloudTrail - Create a multi-region workflow to track user and API activity on your AWS account
Wendy Wong for AWS Community Builders

Posted on • Edited on

AWS CloudTrail - Create a multi-region workflow to track user and API activity on your AWS account

Do you need more security for your AWS account?

In the previous blog I implemented several steps to reduce costs and protect unauthorized user access to an AWS account.

rootaccount

These remediation steps included:

a) Block public access to S3 buckets enabled
b) Linking Multi-Factor Authentication (MFA) to your AWS Root Account
c) Cleaning up and deleting inactive AWS services
d) Deleting Users that are not listed under AWS IAM
e) Resetting the passwords to your AWS IAM and Root accounts
f) Resetting the passwords to your email accounts
g) Creating MFA on your email accounts
h) Monitor for AWS service usage using AWS Cloud Watch
i) Creating a Cost Anomaly Detection Report from AWS Cost Explorer

If you would like to monitor unauthorized access by a user you may also create an AWS CloudTrail.

AWS CloudTrail

AWS CloudTrail may be used for compliance by providing an audit review of user actions and API usage by monitoring the event from a user, role or AWS service as an event with log data stored in a S3 bucket.

CloudTrail may monitor and record the user actions across all AWS services by creating trail in a single region or multiple regions.

Architecture

The architecture of a CloudTrail workflow is shown below in the AWS diagram:

architecture

The workflow commences with:

Step 1: Unusual user or API activity is recorded by CloudTrail

Step 2: Event history logs is stored in a S3 bucket created by CloudTrail

Step 3: Unusual user or API activity is monitored, the recorded event history for the last 90 days may be viewed by creating an optional insights events dashboard which may be downloaded as a csv or json file.

Step 4: The CloudTrail console will analyze recent events

Tutorial 1: Create a CloudTrail for multiple regions using the AWS Console

Step 1: Ensure you have created an AWS account

Step 2: Create IAM permissions for CloudTrail

Step 3: Navigate to the search bar and type the word CloudTrail

Inavigate tobar

Step 4: On the CloudTrail homepage, click the orange button Create a trail

create trail

Step 5: Create a name for the trail that describes the purpose of the trail.

Step 6: Click Create new S3 bucket and provide a name for the S3 bucket created by CloudTrail. Click Next

The diagram below is confirmation of the creation of the S3 bucket:

trail created

Step 7: Under Choose log events you may retain the default settings and select Save Changes.

management

Step 8: There is confirmation of the creation of the CloudTrail

trail

You may navigate to recent trail events from the CloudTrail dashboard.

trail dashn

Tutorial 2 (Optional): Add Insights Events

CloudTrail is available under the AWS Free Tier and please review pricing of Insights Events here as you may incur additional charges.

Step 1: Click into the created CloudTrail and scroll down to Events and click Edit, Check the box 'insights events'.

check box

Step 2: Check the box Insight Events and then check the last two boxes 'API error rate' and 'API call rate'.

click insight events

After 24 hours you will be able to view insights from your dashboard.

insight graph

Tutorial 3 (Optional): Create Cloud Watch on CloudTrail

Navigate to CloudWatchLogs and click 'enabled' and Save Changes.

cloudwatch

Conclusion

You will have the peace of mind to allow AWS CloudTrail to track all user and API activity across your AWS services in multiple regions, where log data is stored in your S3 bucket to review for audit purposes. You will also have access to a dashboard to visualize more granular insights that you may require to help you understand event history for your AWS account.

Until next time, happy learning! 😁

Resources

What is AWS CloudTrail?

Create a CloudTrail using AWS Console

Create Insight Events

Join us for AWS re:Inforce conference

Next week is AWS re:Inforce conference, 26-27 July 📆

A learning conference on compliance, privacy and identity 🔐🛠️

• Register to watch the keynote & sessions streamed live online 📺

• Link: https://reinforce.awsevents.com

Reinforce

Top comments (0)